In an era of ‘big data’, personal information is collected and ‘processed’ – in effect, subjected to a range of manual or automated operations including collection, organisation, storage, alteration, and disclosure – in a seemingly limitless range of circumstances and for a wide range of purposes. Although in many instances this may not be a cause for particular concern, at the heart of the UK’s Data Protection regime is the principle that individuals should have control over how their personal data are used, and a broad armoury of rights to prevent their personal, private information from being misused, against their reputational or commercial interests.


Carter-Ruck advises clients in relation to all of these questions, and on their important rights under the Data Protection regime.


We have pursued legal action on behalf of individuals seeking to challenge the information that firms hold about them, and make available to third parties. We have undertaken cases, achieving major successes, for clients ranging from UHNW individuals, politicians, directors and CEOs of international businesses and charities, to global stars in the entertainment industry and private individuals who encounter difficulties with their due diligence profile.


The Due Diligence Context

Data Protection rights can be invoked against a variety of organisations, whether against search engine operators, social media and in certain circumstances online publishers. However, focus is more and more falling on one area in particular: the activities of ‘due diligence’, ‘KYC’ (‘know your customer’), risk consultancy and credit reference agencies. With financial institutions required to meet stringent anti-money laundering obligations, and potential counterparties wanting to know precisely with whom they are planning to do business, there are an increasing number of private organisations offering due diligence services and products.


PEPs and Enhanced Due Diligence (EDD)

Whether those service providers maintain their own databases of ‘Politically Exposed Persons’ (PEP), such as World-Check or WorldCompliance, or offer more detailed, bespoke risk reports for Enhanced Due Diligence (EDD), their research is often compiled from ‘desktop’ reviews of publicly accessible sources, occasionally supplemented by some independent enquiries. However, such reports are typically only as good as the sources on which they rely, and where they are based on inaccurate, outdated, and unreliable information – or at worst, discredited and malicious sources – they can result in unbalanced, and potentially highly inaccurate information being published to financial institutions and other potential counterparties. In extreme cases, they can be a vehicle for commercial sabotage, with due diligence firms repeating defamatory allegations and baseless ‘fake news’.


Who can we help?

We have advised many clients who have been kept in the dark as to why a banking facility has been refused, or a prospective transaction has fallen through, only then to discover that inaccurate or out-of-date information about them, sometimes including unfounded allegations of wrongdoing, had been disclosed without their knowledge by a due diligence organisation. In the most extreme cases, clients have found that their ability to conduct business effectively, or even to obtain basic financial services, has been ruined unfairly by having a poor due diligence profile.


How can we help?

There are steps that can be taken to prevent or mitigate reputational and commercial harm including by invoking the rights of individuals under the UK Data Protection legislation to establish what information such due diligence organisations hold, with whom it has been shared, and in turn seeking the correction or erasure of any inaccurate, out of date or irrelevant information.


Data Protection Rights

The Data Protection rights of individuals are enshrined in the UK General Data Protection Regulation (GDPR), which, with the UK’s departure from European Union, was implemented to maintain and closely mirror the rights and obligations that have been in force across the EU since 2018 (and had in turn expanded a legal landscape developed over more than two decades).


Both the UK and EU GDPR set out seven data protection ‘principles’, governing the way in which personal data is to be handled. Personal data must be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and, where necessary, kept up to date
  5. Stored for no longer than is necessary
  6. Handled in a way that ensures security, in both the integrity and confidentiality of the information
  7. Subject to ‘accountability’ – that is, organisations must be able to show that they take responsibility for the data they hold, and be able to demonstrate compliance with the other principles.


These core principles place a substantial obligation on organisations to act appropriately with people’s personal data. In turn, individuals (‘data subjects’) have a suite of corresponding rights under the UK GDPR, against any organisation that acts as a ‘controller’ of their personal information, including those that provide due diligence and associated services.


Using the Right of Access

These rights include an extensive ‘right of access’, entitling someone to be given (upon request) a copy of the personal information held by that organisation, an explanation as to the reasons why it is being processed, and information about the recipients to whom that personal data has been or will be disclosed.

The making of a Subject Access Request to due diligence firms is a relatively straightforward step, but one that can often reveal where inaccurate or otherwise prejudicial information is being processed.


We can help our clients use this right to lift the lid on the existence of personal information in due diligence reports and based on which commercially significant decisions have been made.


The Right to Object, and to Erasure

An individual’s Data Protection rights also include the right to object to an organisation’s processing of their personal information, relating to his or her particular situation; a right to have inaccurate personal information rectified without undue delay; and in some circumstances, a right to seek the erasure of their information on the basis of one or more grounds.

It is this latter right, that of erasure or the so-called ‘right to be forgotten’, that is arguably the most significant, giving individuals the right, albeit subject both to countervailing interests and certain specific exemptions, to demand that an organisation ceases ‘processing’ the personal information at all.


We have found this right to be particularly valuable to a range of clients seeking to improve their due diligence profile and secure the removal of inaccurate or otherwise prejudicial information.


Enforcing Data Protection Rights - the Court

In some situations, where the rectification or erasure of personal information cannot otherwise be achieved, an individual also has the option of pursuing court proceedings, seeking an order requiring compliance with their Right of Access, Right to Erasure and other Data Protection rights, potentially also claiming damages for distress where it is apparent that their personal data has been, or is being, processed unlawfully. This is a course that can be considered alongside other rights or actions, such as the law of defamation, to prevent the dissemination of inaccurate or outdated information.


Our expertise

Carter-Ruck is experienced in acting in such proceedings under UK Data Protection Law. For example, we represented a prominent businessman in a data protection claim against S-RM Intelligence and Risk Consulting Limited [S-RM], a due diligence firm which had prepared reports for clients for KYC purposes which contained serious inaccurate allegations about the businessman. The reports repeated false allegations made about him by third parties. In light of information and documentation provided by the businessman, S-RM agreed to delete the relevant reports and has informed the clients who received such reports accordingly.


We have secured numerous other favourable settlements for clients in the due diligence context, typically including

  • the amendment and erasure of information
  • the removal of inappropriate PEP categorisation
  • steps that protect the client against harmful future processing of inaccurate information
  • notification about rectification to the recipient of the information